9a5992336e
Creating a per-user encrypted directory such as /data/system_ce/0 and the subdirectories in it too early has been a recurring bug. Typically, individual services in system_server are to blame; system_server has permission to create these directories, and it's easy to write "mkdirs()" instead of "mkdir()". Such bugs are very bad, as they prevent these directories from being encrypted, as encryption policies can only be set on empty directories. Due to recent changes, a factory reset is now forced in such cases, which helps detect these bugs; however, it would be much better to prevent them in the first place. This CL locks down the ability to create these directories to just vold and init, or to just vold when possible. This is done by assigning new types to the directories that contain these directories, and then only allowing the needed domains to write to these parent directories. This is similar to what https://r.android.com/1117297 did for /data itself. Three new types are used instead of just one, since these directories had three different types already (system_data_file, media_rw_data_file, vendor_data_file), and this allows the policy to be a bit more precise. A significant limitation is that /data/user/0 is currently being created by init during early boot. Therefore, this CL doesn't help much for /data/user/0, though it helps a lot for the other directories. As the next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this CL is needed regardless of whether we're able to do that. Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then created and deleted a user. Used 'ls -lZ' to check the relevant SELinux labels on both internal and adoptable storage. Also did similar tests on raven, with the addition of going through the setup wizard and using an app that creates media files. No relevant SELinux denials seen during any of this. Bug: 156305599 Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
33 lines
1.3 KiB
Plaintext
33 lines
1.3 KiB
Plaintext
# Any toolbox command run by init.
|
|
# Do NOT use this domain for toolbox when run by any other domain.
|
|
type toolbox, domain;
|
|
type toolbox_exec, system_file_type, exec_type, file_type;
|
|
|
|
# /dev/__null__ created by init prior to policy load,
|
|
# open fd inherited by fsck.
|
|
allow toolbox tmpfs:chr_file { read write ioctl };
|
|
|
|
# Inherit and use pty created by android_fork_execvp_ext().
|
|
allow toolbox devpts:chr_file { read write getattr ioctl };
|
|
|
|
# mkswap-specific.
|
|
# Read/write block devices used for swap partitions.
|
|
# Assign swap_block_device type any such partition in your
|
|
# device/<vendor>/<product>/sepolicy/file_contexts file.
|
|
allow toolbox block_device:dir search;
|
|
allow toolbox swap_block_device:blk_file rw_file_perms;
|
|
|
|
# Only allow entry from init via the toolbox binary.
|
|
neverallow { domain -init } toolbox:process transition;
|
|
neverallow * toolbox:process dyntransition;
|
|
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
|
|
|
|
# rm -rf /data/per_boot
|
|
allow toolbox system_data_root_file:dir { remove_name write };
|
|
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
|
|
allow toolbox system_data_file:file { getattr unlink };
|
|
|
|
# chattr +F /data/media in init
|
|
allow toolbox media_userdir_file:dir { r_dir_perms setattr };
|
|
allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
|